On a working day in midsummer 2017, a Pakistani fintech company received a rather unusual email: an independent information security researcher asking to be put in touch with the company’s development head so he could alert him to a ‘high priority’ security issue in their system.
Within 20 minutes the company obliged, connecting its development head with the white hat, or ethical hacker (tech synonyms for an independent security researcher). With that commenced an hour-long correspondence between the two parties.
The startup asked if the ethical hacker could shed some light on the security vulnerability he had identified, but he responded only that he had found “a serious vulnerability” in their system and that if they didn’t fix it, “anyone could access the whole server by uploading a simple shell within a minute”. He didn’t go into the specifics of the bug, but asked the company if there was any ‘bounty’, a monetary reward, for his [disclosure].
In the subsequent correspondence, the company once again asked him to share more details about the vulnerability. This time they even offered to hold a conference call to discuss the matter in detail, but the hacker insisted they first tell him whether there was a bounty; only then would he reveal the vulnerability, otherwise the fintech would have to find it on its own.
“He was clearly soliciting money,” an official with direct knowledge of the exchange told Profit, on the condition that we would not identify either party because the company wants good ties with the white hat community. The documentary evidence of the correspondence between the hacker and the company is available with us.
Despite the swift response from the fintech startup, the hacker went on to claim on his social media page that the company, which he identified by name, had not responded and had in fact ignored him.
Questions about this bounty hunter abound: did he seek permission from the fintech before testing its system? Did he make a responsible disclosure? Was his intention honest? And most importantly, is this ethical hacking at all?
A criminal offense
According to legal experts and Pakistan’s top ‘ethical’ hackers (by their own admission), penetrating a private company’s systems or data without prior consent is a criminal offense.
“Testing [penetrating] an information system of a private business without their permission is illegal, there are no two opinions about it,” says Rafay Baloch, a renowned information security expert who began his career as an ethical hacker in Pakistan and now works as an independent consultant in the UAE.
With many feathers in his cap, including exposing bugs in PayPal, the Android Open Source Project and, more recently, the Google Chrome and Mozilla Firefox web browsers, Baloch says white hats may only test applications whose owners run a bounty programme, have publicly invited testing, or have otherwise authorized ethical hackers to probe their systems for security vulnerabilities. Even in these cases, he adds, penetration testers are bound to make a responsible disclosure, communicating the ‘specific vulnerability’ to the company privately.
What if some ethical hackers fail to follow these rules, we asked Baloch. “It is happening already and on a grand scale. Every community has black sheep; white hats are no exception.”
The UAE-based information security expert tells us many bounty hunters are blackmailing startups, both local and international, purely for money. “Even in the case of Careem, Pakistani hackers have been blackmailing the company for quite some time. Everyone knows it,” Baloch said, pointing to the close-knit community whose members are based mostly in Pakistan and the UAE. “These people were begging for money.”
Multiple sources within the information technology industry maintained that many of these hackers pass the same information on to friends or colleagues, who then demand a bounty for it as well. The ethical hackers we spoke to for this story endorse this view.
Careem was asked whether it had experienced blackmail, especially by Pakistani hackers, but had not responded by the time this report was filed.
Sources within Pakistan’s startup community confirmed that such malpractice is common, if not rampant. For example, Zameen.com and Pakwheels.com, two of Pakistan’s most popular startups, were both blackmailed by a group of bounty hunters posing as ethical hackers. Both startups were later hacked. In the case of Zameen.com, a real estate portal, the hackers went on to release users’ data online, including names, passwords, email addresses and phone numbers, prompting action from the Federal Investigation Agency (FIA) cyber crime wing, the National Response Center for Cyber Crime (NR3C), which arrested many members of the group in 2016.
Ethical hackers strike it rich
Bounty hunting began around 2009 and peaked after 2012, as a lot of ethical hackers jumped on the penetration testing bandwagon and turned it into a whole new industry. They made quick money and earned international fame as tech giants started rewarding them with cash and goodies, at times listing their names in a hall of fame, which helped build a hacker’s profile.
According to Baloch, there are 15 to 20 bugs per 1,000 lines of code, and the codebases of large companies like Google and Facebook run into millions of lines; this is where penetration testers come in handy. These companies can’t find and fix every bug on their own because they don’t have the manpower to do it, which also explains why all tech companies want good ties with the white hat community.
With rising demand, a lot of techies have entered this ‘industry’ and started indulging in malpractices like blackmailing companies and, at times, leaking or selling their data in frustration when denied a bounty or ignored. These are mostly teenagers who want to test their newly acquired skills; professionals don’t do it, Baloch says, adding that these amateur hackers have created a negative perception of Pakistani hackers, making it difficult for them to be hired in the UAE.
Even in Pakistan the picture is not much different, as local startups we reached out to for this report tell a similar story.
“They try to blackmail all the time and want a bounty or consultancy assignments even for the smallest of things,” a top executive of one of Pakistan’s leading startups told Profit, requesting that we not identify him. “You get thousands of emails, so you have to filter what is a threat and what is not. These bounty hunters should give you enough information before you commit to paying them,” he said.
In the case above, the hacker, who appears to be a lone wolf, didn’t seek prior consent from the company, making it a clear case of unauthorized access. On top of that, he wrote from the corporate email account of a startup (housed at a reputable incubation center and focused on education testing services) while acting as an independent bounty hunter. Even if one sets all of this aside, was it ethical on his part to ask for a bounty before sharing details of his findings?
“As an ethical hacker, your goal is just to report the bug. It is the right of the company whether to give a bounty or not,” says Shahmeer Amir, chief executive officer of Veiliux, a cyber security startup based out of Lahore. Veiliux was the first company, at least by public record, to report a security vulnerability in Careem, 18 months ago, but it didn’t receive any bounty for it.
A cyber security analyst and a leading bounty hunter, Amir has helped tech giants Facebook, Microsoft, Yahoo and Twitter fix vulnerabilities in their systems. He says ethical hackers must seek permission from the company they plan to test before accessing its servers.
Giving his own example, Amir said that before testing Careem’s system he met both Junaid Iqbal, the company’s country head, and Talal Burney, a senior manager, told them why he felt their app might not be safe, and asked whether he could test it. “They gave me a verbal approval for that.”
Veiliux was able to penetrate Careem’s system and access sensitive information including ride details, booking IDs, car types, and pickup and drop-off locations, which Amir also shared on his blog after Careem made a public announcement about the Jan 14 security breach, in which the private data of 14 million users was compromised.
In a recent email to Amir, Careem told him it had fixed that vulnerability immediately after he informed them and that the recent hack was unrelated to what he had reported. Either way, the episode illustrates the standard operating procedure ethical hackers are expected to follow: Amir sought permission to test the app, then made a responsible disclosure (evidence available with Profit), and only made the flaw public after the company had patched it.
By contrast, the hacker who tested the fintech under discussion didn’t share any specific details of the bug he claimed to have found in the app. Since the correspondence between the two parties hit a deadlock over disclosure of information, it raises a question: how much information should be disclosed under responsible disclosure?
“When they [hackers] show screenshots of information or data they have accessed, we know they have penetrated our system and got something,” said the CEO of a renowned startup. Based on that information, the company’s own development team can assess the impact of that vulnerability and find out whether it is of critical importance, he said. “This is how you build trust and take these people on board for resolving the issue.”
Veiliux, as well as Daniyal Nasir and another hacker who identified security bugs in Careem’s system last year, shed more light on responsible disclosure. In each case, screenshots of the vulnerability had been shared with the company privately.
Nasir had managed to access sensitive information on Careem’s global user base, including the live location of cars, vehicle registration numbers, ID card numbers, phone numbers, pictures and emails, but unlike in the fintech case, he made a responsible disclosure before expecting any bounty.
“If somebody asks for money first, it is wrong and he is responsible for his own actions, but asking whether a company has a bounty programme has no harm,” Nasir told Profit. Asked if he had sought Careem’s permission before testing its system, he answered in the negative. This unauthorized access, regardless of his ethical handling of the matter, could get him into trouble, then, right? Actually, no, or at least that is what we understand from Baloch’s reading of Pakistan’s cyber crime law.
The cyber crime law has legalized unauthorized testing by adding the dishonesty clause, Baloch said, referring to Section 6 of the Prevention of Electronic Crimes Act (PECA) 2016, which states: “Whoever with dishonest intention gains unauthorized access to critical infrastructure information system or data shall be punished with imprisonment which may extend to three years or with fine which may extend to Rs1 million or with both.” (Section 6 is specific to critical infrastructure; Section 3 of the same Act applies the same ‘dishonest intention’ test to unauthorized access to any information system or data, with lesser penalties.)
“Who will prove if the researcher’s intention was honest or not?” Baloch questioned. “If caught, I can say I did it in the larger public interest and go scot free.”
However, Aun Abbas, former deputy director of NR3C and a key member of the team that drafted PECA 2016, disagrees with Baloch and insists the law covers this subject thoroughly.
Explaining the clause in layman’s terms, Abbas said, “If someone leaves the door of his house open, does it give you the right to enter their premises? No! And what if the doors are closed, even if not locked? You don’t have the right to enter; this is trespass.”
The hacks at Zameen.com, Pakwheels.com and the Daewoo bus service were all acts of unauthorized access and therefore illegal, says the expert, who was instrumental in busting PakBugs, a gang of hackers involved in online fraud and illegal access to many local and international websites. The then-NR3C officer helped the FIA arrest five members of that gang in 2010 and in 2016 played a key role in identifying the attackers behind the Zameen.com and Pakwheels.com breaches.
Massive amounts of critical data
Following the law is one thing, but wouldn’t it be a public service to test the cyber security soundness of companies that sit atop massive amounts of critical data but lack the resources to fix all their bugs internally and don’t even run bounty programmes? After all, Careem was informed about vulnerabilities in its system by at least two Pakistani hackers a year in advance, and heeding those warnings might possibly have saved it from the recent breach. In fact, Telenor Bank, where Abbas is chief information security officer, manages the country’s largest mobile payment service, EasyPaisa, but has no third-party bounty programme on offer. This is despite the fact that it was hacked in the past.
“If there is no bounty programme or authorization from the company being tested, then you can say you are giving a pro bono (for the public good) service,” Abbas says. But this brings us back to Section 6 of PECA 2016: how does one establish whether the intention was honest? To this, Abbas says that by examining the trail of activity one can find out whether the access was “intentional or unintentional, honest or dishonest, legal or illegal”.
So is there a way to counter this menace? Abbas thinks part of the problem is a lack of awareness regarding cyber crime and critical data. The government should declare the information held by telcos, Nadra and banks as critical data to create deterrence, he suggests. Similarly, information security should be taken up by academia, as presently only a handful of universities teach the subject.
“We should make a national information security forum and register all the ethical hackers and cyber security companies with it. In fact, we should register specialists from all areas of information security on that forum,” Abbas said, implying that only registered members should be allowed to test applications.
Though he co-authored the country’s cyber crime law and defends it, Abbas suggests it will take a lot more to improve the country’s cyber security scene. “The current legislation addresses cyber crime, but there should be a separate law for cyber security.”